patch 5 debuginfod: prometheus metrics

Frank Ch. Eigler fche@redhat.com
Mon Nov 18 16:48:00 GMT 2019


Hi -

> > > see it is already in a comment in the code. Best to also add it as See
> > > also in the docs.
> > 
> > OK.
> 
> Thanks, that would be good.

Done.

> > > > +control.  The \fI/metrics\fP webapi endpoint is probably not
> > > > +appropriate for disclosure to the public.
> > > 
> > > So, should there be an option to turn it off?
> > 
> > IMHO not necessary.  The security section already advises against
> > exposing an unprotected debuginfod server to the public.  A front-end
> > reverse-proxy would easily filter requests to /metrics.
> 
> I think defense in depth is not a bad thing.
> You already have local users to which it is exposed.

Local users can already run "ps awux" to see the same semi-sensitive
command line arguments.

> And it would also make the server do slightly less work.

Maybe, but if it's a serious/public enough installation to worry about
configuration privacy, then it's also bound to be important enough to
be monitored, so its admin would not turn this off.

> Note that the current code defines tid () as syscall(SYS_getpid).
> Should be SYS_gettid.

OK.

- FChE
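The reverse-proxy filtering mentioned above, as an added example that is not part of the patch or of elfutils itself: an nginx front end that forwards the normal debuginfod requests but answers /metrics only from a monitoring network. The listen address 127.0.0.1:8002 for the debuginfod back end and the 10.0.0.0/8 scrape network are placeholders to adapt to the real deployment.

```nginx
# Added example (not from the patch): put nginx in front of debuginfod and
# keep the Prometheus /metrics endpoint off the public side.
# Assumptions (placeholders): debuginfod listens on 127.0.0.1:8002 and the
# Prometheus scraper lives in 10.0.0.0/8.
upstream debuginfod_backend {
    server 127.0.0.1:8002;
}

server {
    listen 80;
    server_name debuginfod.example.com;

    # /metrics is served only to the monitoring network and localhost;
    # every other client receives 403 before the request reaches debuginfod,
    # so the server also does no work for those requests.
    location = /metrics {
        allow 10.0.0.0/8;
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://debuginfod_backend;
    }

    # All other paths (the /buildid/... lookups) are passed through unchanged.
    location / {
        proxy_pass http://debuginfod_backend;
    }
}
```

Because the allow/deny check runs in the proxy, the debuginfod process itself needs no extra option: the metrics stay available to the admin who monitors the instance, while the command-line and configuration details they expose are not reachable from the public network.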
